Source: OJ L 333, 27.12.2022, pp. 164–198


Article 15 Incident notification


Summary

What does Article 15 of the CER directive say?

This article establishes the incident notification regime for critical entities, sitting naturally alongside the resilience obligations set out in Article 13.

It requires critical entities to report significant incidents to their competent authority, sets out the timeline for doing so, and creates a cascade of information-sharing obligations that flow upward — from critical entity to national authority, from national authority to other affected Member States, and, where an incident spans six or more Member States, from those national authorities to the Commission.

Important points:

  • Report significant incidents to your competent authority within 24 hours of becoming aware, followed by a detailed report within one month.
  • Competent authorities are required to share incident information with the single points of contact of other affected Member States where cross-border impact is identified.
  • Submitting a notification under this article does not expose critical entities to increased liability.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Member States shall ensure that critical entities notify the competent authority, without undue delay, of incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services. Member States shall ensure that, unless operationally unable to do so, critical entities submit an initial notification no later than 24 hours after becoming aware of an incident, followed, where relevant, by a detailed report no later than one month thereafter. In order to determine the significance of a disruption, the following parameters shall, in particular, be taken into account:

      (a) the number and proportion of users affected by the disruption;

      (b) the duration of the disruption;

      (c) the geographical area affected by the disruption, taking into account whether the area is geographically isolated.

       Where an incident has or might have a significant impact on the continuity of the provision of essential services to or in six or more Member States, the competent authorities of the Member States affected by the incident shall notify the Commission of that incident.

    2. Notifications as referred to in paragraph 1, first subparagraph, shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including any available information necessary to determine any cross-border impact of the incident. Such notifications shall not subject critical entities to increased liability.

    3. On the basis of the information provided by a critical entity in a notification as referred to in paragraph 1, the relevant competent authority, via the single point of contact, shall inform the single point of contact of other affected Member States where the incident has or might have a significant impact on critical entities and the continuity of the provision of essential services to or in one or more other Member States.

       Single points of contact sending and receiving information pursuant to the first subparagraph shall, in accordance with Union or national law, treat that information in a way that respects its confidentiality and protects the security and commercial interest of the critical entity concerned.

    4. As soon as possible following a notification as referred to in paragraph 1, the competent authority concerned shall provide the critical entity concerned with relevant follow-up information, including information that could support that critical entity’s effective response to the incident in question. Member States shall inform the public where they determine that it would be in the public interest to do so.
